Efficient ID-based Threshold Signature Schemes
without Pairings
Jun Shao, Zhenfu Cao, and Licheng Wang Department of Computer Science and Engineering
Shanghai Jiao Tong University 200030, Shanghai, China P.R.C
chn.junshao@gmail.com, caozf@cs.sjtu.edu.cn, wanglc@sjtu.edu.cn
Abstract. The focus of this paper is to design an efficient and secure so-lution addressing the key escrow problem in ID-based signature schemes, i.e., the Private Key Generator (PKG) knows the user’s private key, which damages the essential requirement–“non-repudiation” property of signature schemes. In this paper, we proposed two ID-based threshold signature schemes, which both reach Girault’s trusted level 3, and in which there exists only one PKG in our ID-based threshold signature schemes. In particular, the second scheme has another good property: it does not require trusting any particular party at any time.
Compared with the previous schemes, our schemes do not need to com-pute pairings, which make them be more efficient than those schemes. Furthermore, our ID-based signature schemes increase the availability of the signing agency and the difficulty for the adversary to learn the private key.
1
Introduction
Certificate-based cryptography allows the user to use an arbitrary string, un-related to his identity, as his public key. When another user wants to use this public key, she must obtain an authorized certificate that contains this public key. This creates the certificate management problem. For reasons of efficiency and convenience, it is desirable to design a signature scheme without certificate management.
To address this problem, Shamir introduced the concept of ID-based pub-lic key cryptography [Sha84], in 1984. In this kind of pubpub-lic key cryptography, the user’s public key is the user’s identity information, e.g., the email address, while the private key is computed from the public key by a Private Key Gen-erator (PKG) who has knowledge of a master secret. As a result, the certificate management problem can be eliminated.
all users, so he is able to impersonate any user. In particular, in ID-based signa-ture schemes, it removes the essential requirement, “non-repudiation”, of digital signature schemes.
To address this key escrow problem, many researchers [BF03,BZ04a,BZ04b,CZKK04] suggested extending ID-based cryptography to be ID-based threshold cryptog-raphy. Using an ID-based threshold signature scheme, digital signatures can be produced by a group of players rather than by one party. Compared with the regular ID-based signature schemes where the signer is single entity which holds the private key, in ID-based threshold signature schemes the private key is shared by a group ofnplayers. In order to produce a valid signature on a given message m, the number of the participant players must attain the given threshold value, the signature can be created. More precisely, a typical (t, n) ID-based threshold signature scheme follows the three basic properties:
– Anytor more players in the group can cooperate with each other to generate a valid group signature, while they don’t reveal any information about their sub-secret keys or the private key.
– Anyt−1 or fewer players in the group cannot create a valid group signature, even after producing many signatures on different messages.
– Any verifier can verify the group signature with only knowing the group identity and the public key of the PKG. In other words, the signature is pro-duced in an ID-based threshold signature scheme is the same as if propro-duced in a regular ID-based signature scheme. In particular, verification of the signature is dependent of the way the signature generation is implemented. Besides removing the key escrow problem, an (t, n) ID-based threshold sig-nature scheme has another two advantages: (1) increasing the availability of the signing agency, since if onlytplayers perform the scheme honestly, the signature can be generated successfully; (2) increasing the difficulty for the adversary to learn the private key, since only the adversary corruptstor more players, he can learn the private key.
1.1 Previous Work
not only solves the key escrow problem, but also removes the disadvantages of Boneh and Franklin’s method. To our best knowledge, though there exists a particular party knows the private key in Chen et al.’s scheme, it is considered as the best solution among the existing schemes. In this paper, we get better solutions: more efficient (in terms of computational complexity) and more secure (no particular party knows the private key).
1.2 Our Contribution
We present two ID-based threshold signature schemes which enjoy the following properties.
Provable security: Based on the Schnorr’s signature scheme [Sch91], we first propose a new ID-based signature scheme without bilinear pairings, which is provably secure in the random oracle model and achieves the Girault’s trusted level 3 [Gir91] (i.e., the PKG does not know (or cannot easily compute) the users private keys. Moreover, it can be proved that the PKG generated false public keys of users if it does so.). Based on the proposed ID-based signature scheme, we propose two provably secure ID-based threshold signature schemes.
Efficiency: Since there is no bilinear pairings in our schemes, our schemes are more efficient than the existing schemes. We will give the performance evaluation in Section 7.
Flexible thresholds: The value of threshold is up to the users.
Assumed trust: In our first ID-based threshold signature scheme, the group manager should be trusted, since he knows the private key. While our second ID-based threshold signature scheme does not require trusting any particular party at any time, including during the generation of private key.
Limited power of the PKG: In our both ID-based threshold signature schemes, the only thing the PKG can do is to cooperate with the user to generate the user’s private key. However, the PKG cannot learn the user’s private. If the PKG generates the user’s private key by himself, it can be detected.
1.3 Organization
2
Model and Definitions
In this section we review the communication model and the definitions of secure ID-based threshold signature scheme.
Communication model. The players in our schemes include a set ofnplayers who are connected by an authenticated broadcast channel. In addition, all players are capable of private point-point communication over secure channels. Finally, we work in a synchronous communication model. These assumptions allow us to focus on high-level descriptions of the protocols. For the details, the reader can refer to [GJKR96][Section 2].
The adversary. Our (t, n) ID-based threshold signature schemes assume a non-adaptive adversary (static adversary) who may corrupt up tot−1 players in advance of protocol execution. The adversary has access to all information available to the corrupted players, including their sub-secrets, messages they receive, and messages broadcast to all players. Furthermore, the adversary can cause player to deviate arbitrarily from the protocol.
ID-based signature scheme. Recall that ID-based signature scheme S is consisted of four random protocols: Setup, Extract,Sign, Verify. The Setup protocol takes as input the security parameterk, and generatesparams(system parameters) and master-key. The Extract protocol takes as input a user’sID and the master key, and returns the user’s private key, denoted bydID. TheSign protocol signs messages using the user’s private key and the Verify protocol verifies signatures using the user’sIDandparams. However, in order to achieve Girault’s trusted level 3, we modify theExtractprotocol slightly in this paper, i.e., add the data chosen by the user to the input.
The notion of security for ID-based signature scheme was formally defined in [CC03]. The following definition captures the notion: existential unforgeability against adaptively chosen identity and message attack.
Definition 2.1. We say that an ID-based signature schemeS(Setup,Extract,
Sign, Verify) is unforgeable if no adversary who is given the public key of the PKG generated by Setup, the private keys of k1 identitiesIDi1,· · ·, IDik1
adaptively chosen, and the signatures ofk2 tuples(IDj1, mj1),· · ·,(IDjk2, mjk2)
adaptively chosen, can produce the signature on a new messagemunder the iden-tityID(i.e.,ID6∈ {IDi1,· · ·, IDik1},(ID, m)6∈ {(IDj1, mj1),· · ·,(IDjk2, mjk2)})
with non-negligible probability.
Setup. Identical to that in ID-based signature scheme.
Thresh-Extract. According to whether there exists a particular party knowing the private key, this protocol can be categorized aswith orwithout a group manager. In the former one, there are a PKG, a group manager, andn play-ers. Firstly, the group manager gets the private key through an interactive protocol with the PKG. Secondly, the group manager distributes the private key to thenplayers through some verifiable secrete sharing scheme. In the latter one, there are only a PKG andn players. The private key is jointly generated by the PKG and thesenplayers. In both of two, the public key is always the identityID of thesenplayers.
Thresh-Sign. It is the distributed signature protocol. The private input of playerPi is his share of the private key. The public key inputs consist of a messagemand the identityIDof thesenplayers. The output of the protocol is a signature for messagemunder the identity ID.
Verify. Identical to that in ID-based signature scheme.
From the verifier’s viewpoint, ID-based threshold signature scheme is the same as ID-based signature scheme.
Secure ID-based threshold signature scheme. Following the idea in [GJKR96], the definition of security for ID-based threshold signature scheme includes both
unforgeability androbustness.
Definition 2.2. We say that a(t, n)ID-based threshold signature schemeT S=(Setup,
Thresh-Extract, Thresh-Sign, Verify) is unforgeable, if no adversary who corrupts at mostt−1players, and is given the view ofT hresh−Extracton input
k1identitiesIDi1,· · ·, IDik1 adaptively chosen, and ofThresh-Signon inputk2
tuples (IDj1, mj1),· · ·,(IDjk2, mjk2) adaptively chosen, can produce the
signa-ture on a new message munder the identity ID (i.e., ID6∈ {IDi1,· · ·, IDik1},
(ID, m)6∈ {(IDj1, mj1),· · ·,(IDjk2, mjk2)}) with non-negligible probability.
Definition 2.3. An ID-based threshold signature schemeT S=(Setup,Thresh-Extract,
Thresh-Sign,Verify) is(t, n)robust if in a group ofnplayers, even in the pres-ence of an adversary who corrupts at most t−1 players, bothThresh-Extract
andThresh-Sign can complete successfully.
3
The Schnorr’s Signature Scheme.
The Schonrr’s signature scheme [Sch91] is a signature scheme based on the dis-crete logarithm problem, which can be proved secure against the adaptively chosen message attack in the random oracle model. It consists of the following three protocols:Setup,Sign,Verify.
Setup. It takes as input a security parameter 1k and outputs a public key (p, q, g, H(·), y) and a secret key x, where p and q are two large primes, q|p−1, g is a generator of order q in Zp, H(·) is a cryptographic hash function:{0,1}∗→Z∗
Sign. To sign a messagem, the user does the following performances. (1) choose a randomr∈Z∗
q, (2) computeR =grmodp, and (3) set the signature to be (R, σ), whereσ=r+xH(m||R) modq.
Verify. To verify a signature (R, σ) for message m, the verifier does: check gσ =? RyH(m||R)modp. If it holds, the signature is valid; otherwise, the
signature is invalid.
4
Basic Tools
In this section we recall Feldman’s verifiable secret sharing protocol [Fel87], de-noted here byProtocol VSS, and the secure distributed key generation protocol [GJKR99], denoted here byProtocol DKG.1
We say an issue is acomplaint if the share of a player cannot pass the verified equation, and the player asks the dealer to reveal his share. We say a dealer is
disqualified if more thantplayers broadcast complaints against the dealer. A high-level descriptions of the Protocol VSS and the Protocol DKG are given in Figure 1 and Figure 2, respectively.p,qare two large primes, and they satisfyq|p−1, andg,hare two random generators ofZpof orderq. For details, the reader can refer to [Fel87,GJKR99].
5
New ID-based Signature Scheme
In this section, we propose our ID-based signature scheme without pairings, which is based on the Schnorr’s signature scheme. Follow the definition of ID-based signature schemes, it consists of the following four protocols.
Setup. Given security parameterk1, k2∈Z+, the protocol works as follows:
Step 1: Choose ak1-bit primepand ak2-bit primeq, such thatq|p−1.
Step 2: Choose a generatorgof orderq inZp. Step 3: Choose a randomx∈Z∗
q, and computey=gxmodp.
Step 4: Choose two cryptographic hash functions H1(·) and H2(·), such
thatH1:{0,1}∗→Zq∗,H2:{0,1}∗→Zq∗.
The public key of PKG is (p, q, g, y, H1(·), H2(·)), and the corresponding
master key isx.
Extract. It is an interactive protocol between the user and the PKG.
1. The user first chooses a randomrID∈Zq∗, and computesRID=grID mod p. At last, the user sends (ID, RID) to the PKG.
2. Upon receiving (ID, RID), the PKG does: (1) choose a randomrP KG∈ Z∗
q, (2) compute RP KG = grP KG modp, and (3) set the private key skID←(RP KG, dID), wheredID=rP KG+xH1(ID||RID||RP KG) mod q. At last, the PKG sends the private key to the user.
1 The protocols in this paper are slightly different from the original ones, however,
Protocol VSS participants:a dealer,nplayersPi(i= 1,· · ·, n).
input:r,R,p,q,g, such thatR=grmodp.
1. The dealer performs as follows.
(a) Chooses a random polynomialf(x) overZqof degreet−1:
f(x) =
t−1 X
i=0 aixi,
such thatf(0) =a0=r.
(b) BroadcastAi=gf(i)modpfori= 0,· · ·, n. Notice thatA0=Rmodp.
(c) Compute the sharesri=f(i) modqfori= 1,· · ·, n and sendsri to player Piby a secret channel.
2. Upon receivingrifrom the dealer, each playerPidoes the following performances.
(a) Choose randomlyt Akj’s fromAk(k= 0,· · ·, i−1, i+ 1,· · ·, n).
(b) Check
gri =? A
i=? t−1 Y
j=0 Aλki,kj
j modp, (1)
whereλi,kj’s are the Lagrange interpolation coefficients. If it does not hold, playerPibroadcasts acomplaint against the dealer.
If more thantplayers complain then the dealer is clearly bad and he is disqualified. Otherwise, the dealer distributes the value oframong thesenplayers.
Protocol DKG participants:nplayersPi(i= 1,· · ·, n).
input:p,q,g,h.
1. Each playerPidoes the following performances.
(a) Choose two random numberriandr0ioverZq.
(b) Choose two random polynomialsfi(x),fi0(x) overZqof degreet−1:
fi(x) = t−1 X
j=0
aijxj, fi0(x) = t−1 X
j=0 bijxj,
such thatfi(0) =ai0=ri,fi0(0) =bi0.
(c) BroadcastAij=gaijhbij modpforj= 0,· · ·, t−1.
(d) Compute the sharesxij=fijmodpandx0ij=fij0 modpforj= 0,· · ·, t−1,
and sendxij, x0ij to playerPj.
(e) On receivingxji, x0jifrom playerPj, playerPichecks
gxjihx0ji=?
t−1 Y
k=0
(Ajk)i
k modp.
If it does not hold, playerPibroadcasts acomplaintagainst playerPj.
(f) Build the set of non-disqualified playersQUAL.
(g) If playerPiis inQUAL, he broadcastsBij=gfi(j)modpforj= 0,· · ·, n.
(h) For eachj∈QUAL,Pifirst choosest Bjkl’s (kl6=i, andl= 0, . . . , t−1), and
then checks
gxji=? B
ji ?
=
t−1 Y
l=0
(Bjkl)
λi,klmodp, (2)
and
Bj0 ?
=
t−1 Y
l=0
(Bjkl)
λ0,kl modp, (3)
whereλi,kl’s are the Lagrange interpolation coefficients. If one of them does not hold, playerPibroadcasts a complaintagainst playerPj.
(i) Rebuild the set of non-disqualified playersQUAL.
2. The distributed secret value x is not explicitly computed by any party, but it equals x = Pi∈QUALrimodq. Each player Pi sets his share of the secret as xi =
P
j∈QUALxjimodq. The corresponding public key of this group is y = Q
i∈QUALBi0modp.
3. Upon receiving the private key, the user checks gdID =? R
P KGyH1(ID||RID||RP KG)modp. (4) If it does not hold, the user broadcasts acomplaint against the PKG. 4. The private key of the user isskID=rID+dIDmodq, such that
gskID=R
IDRP KGyH1(ID||RID||RP KG)modp (5) Sign. To sign a message m under the public key ID, the protocol does: (1)
choose a randomr∈Z∗
q, (2) computeR=grmodpandβ=H2(ID||RID||RP KG||R||m),
and (3) set the signature to be (RID, RP KG, R, σ), where σ= r+ (rID+ dID)βmodq.
Verify. To verify a signature (RID, RP KG, R, σ) for message m, the protocol does: checkgσ =? R(R
IDRP KGyH1(ID||RID||RP KG))βmodp.
5.1 Security Analysis of Our ID-based Signature Scheme
To prove the security of our ID-based signature scheme, we make use of the tech-niques in [PS00], especially the Forking Lemma, which is described as follows. For details, the reader can refer to [PS00].
Lemma 5.1 (The Forking Lemma ([PS00], Theorem 13)). Let A be a probabilistic polynomial time Turing machine whose input only consists of public data. AndAcan ask to the signer withqsqueries, and can ask to the random
or-acle withqhqueries. Suppose that,Acan produce a valid signature(m, σ1, h, σ2), with probability²≥10(qs+ 1)(qs+qh)/2k, in timeT. If the triple(σ1, h, σ2)can be simulated without knowing the private key, with an indistinguishable distribu-tion probability, then there is an another machine which has control overAand produces two valid signatures(m, σ1, h, σ2) and(m, σ1, h0, σ
0
2)such that h6=h0, within time T0 ≤120686q
hT /².
Theorem 5.1. The proposed ID-based signature scheme achieves Girault’s trusted level 3.
Proof. We suppose the PKG wants to impersonate an honest user whose identity information isID. He can do the following performances:
1. choose a randomr0
ID∈Zq∗ and computeR0ID=gr
0
ID modp.
2. Perform theExtract protocol andSignprotocol of the proposed ID-based signature scheme for the messagem.
3. Output (R0
ID, RP KG, R0, σ0)
dID = rP KG +xH1(ID||RID||RP KG) modq: the arbiter randomly chooses a message m0 and sends it to the user; the user then perform the Schnorr’s sig-nature scheme (i.e., the secret singing key isdID, and the corresponding public key isRP KGyH1(ID||RID||RP KG)). If the result signature can be pass theVerify protocol of the Schnorr’s signature scheme, the arbiter deduces that the PKG is dishonest because the valuedID is computed by the PKG only (the used sig-nature is the Schnoor’s sigsig-nature scheme, the secret signing key is the PKG’s master key, the corresponding public key is the PKG’s public key, and the mes-sage is (ID||RID).).
As a result, our ID-based signature scheme achieves Girault’s trusted level
3. ut
Theorem 5.2. In the random oracle model, our ID-based signature scheme is existentially unforgeable against adaptively chosen message and ID attack un-der the assumption that the Schnorr’s signature scheme is secure against the adaptively chosen message attack in the random oracle model.
Proof. From the simulations of hash1 oracle (see Fig. 3), Extract oracle (see
Fig. 4), hash2 oracle (see Fig. 5), and Sign oracle (see Fig. 6), we can see
that the view of these simulations is indistinguishable from a view of an actual random execution of the proposed signature scheme. In other words, the signer can be simulated without knowing the master keyx, with an indistinguishable distribution.
Note that, in our scheme, since r is randomly chosen from Z∗
q, hence R is a random number. Furthermore, β is the hash value of ID||RID||RP KG||R||m, and for the same (ID, RID, RP KG), σonly depends onID||RID||RP KG||R||m, andβ.
Now, we can apply the Forking Lemma, and get two valid signatures (m, ID, RID, RP KG, R, σ) withβ and (m, ID, RID, RP KG, R, σ0) withβ. Then we have
gσ(R
IDRP KGyH1(ID||RID||RP KG))−β=gσ
0
(RIDRP KGyH1(ID||RID||RP KG))−β
0
⇒ gσ−σ0
= (RIDRP KGyH1(ID||RID||RP KG))β−β
0
⇒ gσ−σ
0
β−β0 =R
IDRP KGyH1(ID||RID||RP KG)
That is, the user’s private key is σ−σ0
β−β0. As a result, we get a valid forgery
on message m(= ID) for the Schnorr’s signature scheme, in which the secret signing key and the public key are the master key and the public key of the PKG, respectively. The valid forgery is (RIDRP KG,σ−σ
0
β−β0). Though there is a
slight difference between this forgery and the regular signature of the Schnorr’s signature scheme (H1(m||RID||RP KG) VS. H1(m||RIDRP KG)), it can be con-sidered as a difference on the construction of hash function which is the same in the random oracle model.
— For ahash1-queryH1(IDi, R1, R2), such that a record (IDi, R1, R2, α, β) appears
in listH1, the answer isβ. Otherwise the answerβis defined according to the following
rule:
1. Choose a random elementβ∈Z∗ q.
The record (IDi, R1, R2,⊥, β) is added toH1.
Fig. 3.Simulation ofhash1 oracle
— For an Extract-query with (IDi, RID), such that a record (IDi, RID, R2, α, β)
appears in list H1, the answer is (R2, α)a. Otherwise the answer (R2, α) is defined
according to the following rules:
1. Choose two random elementsα, β∈Z∗ q,
2. ComputeR2, such thatgα=R2yβ modp.
The record (IDi, RID, R2, α, β) is added toH1.
a There is a situation thatαis⊥, however, such a situation is very rare.
Fig. 4.Simulation ofExtractoracle
— For a hash2-query with (IDi, R1, R2, R3, m), such that a record
(IDi, R1, R2, R3, m, α, β) appears in list H2, the answer is β. Otherwise the
answerβis defined according to the following rule: 1. Choose a random elementβ∈Z∗
q.
The record (IDi, R1, R2, R3, m,⊥, β) is added toH2.
Fig. 5.Simulation ofhash2 oracle
— For a Sign-query with (m, ID), we produce the answer (RID, RP KG, σ) is
com-puted as following rules:
Step 1 Choose a random numberrIDand computeRID=grIDmodp.
Step 2 Issue theExtract-query with (IDi, RID) ourself, and get (R2, α).
Step 3 Computeσby using (rID, α) in theSignprotocol.
6
ID-based threshold Signature Scheme
In this section, we extend our ID-based signature scheme to two ID-based thresh-old signature scheme: Scheme 1 and Scheme 2. Furthermore, we give their secu-rity proof in this section.
6.1 Scheme 1
In this subsection, we propose our first ID-based threshold signature scheme, in which there exist a PKG, a group manager and n players, where the group manager knows the private key of this group, and distributes the shares of the private key tonplayers.
Setup. Identical to that in our ID-based signature scheme. Thre-Extract. It is an interactive protocol.
1. The group manager first chooses a random rID ∈ Zq∗, and computes RID=grID modp. At last, the user sends (ID, RID) to the PKG. 2. Upon receiving (ID, RID), the PKG does:(1) choose a randomrP KG ∈
Z∗
q, (2) compute RP KG = grP KG modp, and (3) set the private key skID←(RP KG, dID), wheredID=rP KG+xH1(ID||RID||RP KG) mod q. At last, the PKG sends the private key to the group manager. 3. Upon receiving the private key, the group manager checks
gdID =? R
P KGyH1(ID||RID||RP KG)modp.
If it does hold, the user broadcasts acomplaint against the PKG. 4. The group manager andnplayers perform theProtocol VSS, the group
manager is the dealer, and (rID+dID, RIDRP KGyH1(ID||RID||RP KG), p, q, g) is the input of theProtocol VSS.
5. As a result,rID+dIDis shared amongnplayers. Letxi be the share of Pi, andf(x) =rID+dID+
Pt−1
i=1aiximodqbe the used secret-sharing polynomial,Ai=gf(i)modp, (i= 0,· · ·, n).
Thre-Sign. LetΦbe a subset of thenon-disqualifiedplayers, andλΦ i =
Q
k∈Φ,k6=i 0i−−kk, where|Φ| ≥t. To sign a messagem, player Pi in Φdoes the following per-formances.
1. Choose a randomrPi.
2. Compute and broadcastRPi =g
rPimodp. 3. ComputeRp=
Q
i∈ΦR λΦ
i
Pi modp.
4. Compute and broadcastσPi =rPi+xiH2(RID||RP KG||Rp||m) modq. 5. Check
gσPi =? RP i(Ai)
H2(RID||RP KG||Rp||m)modp. (6)
If it does not hold, playerPibroadcasts acomplaint against playerPj. If all the players inΦare honest, the signature is (RID, RP KG, Rp, σ), where σ=Pi∈ΦλΦ
iσPimodq.
6.2 Analysis of Scheme 1
Unforgeability. Following the tradition of the security proof for threshold sig-nature schemes, we use the concept ofsimulatable adversary view [GJKR96] to prove unforgeability. The security of a simulatable ID-based threshold signature scheme equals to the security of its underlying ID-based threshold signature scheme.
Definition 6.1. An ID-based threshold signature schemeT S=(Setup,Thresh-Extract,
Thresh-Sign,Verify) is simulatable if the following properties hold:
1. The protocolThresh-Extractis simulatable. That is, there exists a simula-torSIM1 that, on input the public input , the public output, and the shares oft−1 corrupted players of an execution of Thresh-Extract, can simulate the view of the adversary on that execution.
2. The protocolThresh-Sign is simulatable. That is , there exists a simulator
SIM2 that, the public input, the public output, and the shares of t−1 cor-rupted players of an execution ofThresh-Sign, can simulate the view of the adversary on that execution.
Lemma 6.1. The scheme 1 is simulatable.
Proof. A high-level descriptions of the simulators ofThresh-ExtractandThresh-Sign are given in Fig. 7 and Fig. 8, respectively.
For a polynomialf(x) of degree t−1, f(i) can be computed from other t or moref(j)’s (we denote this set as Φ), by using f(i) =Pj∈ΦλΦ
i,jf(j), where λΦ
i,j’s are the Lagrange interpolation coefficients (i.e.,λΦi,j=
Q
k∈Φ,k6=j ji−−kk). On the other hand, if we know t or more gf(j)modp’s, we can compute gf(i) by
usinggf(i)=Q
j∈Φ(gf(j))λ Φ
i,j modp.
Following these above methods, we construct our simulators. In these two simulators, we assume w.l.o.g. that the adversary corrupted the firstt−1 play-ers P1,· · ·, Pt−1. From the viewpoint of the adversary, the output of these two
simulators is indistinguishable from the real execution of Thresh-Extractand
Thresh-Sign. Then we finish this proof. ut
Combining Theorem 5.2 and Lemma 6.1, we have the following theorem. Theorem 6.1. Our scheme 1 is unforgeable, if the Schnorr’s signature scheme is unforgeable.
Robustness. The following theorem can be easily proven by inspection of the scheme 1.
SIM1 for scheme 1
input:y,RID,RP KG,ID,t−1 sharesxi’s of the corrupted player
1. TheSIM1 computes
Ai= (RIDRP KGyH1(ID||RID||RP KG))λi,0 t−1 Y
j=1
(gxj)λi,j modp,
fori=t,· · ·, n. Notice that thet−1 corrupted players can pass the Equation 1. 2. Follow the Step 2 of Protocol VSS.
Fig. 7.Simulator forThresh-Extractof scheme 1.
SIM2 for scheme 1
input:y,RID,RP KG,ID,t−1 sharesxi’s of the corrupted player
1. After the t−1 corrupted players broadcast RPi(i = 1,· · ·, t−1), the SIM2 computes and broadcasts
RPi =R
λi,0
p t−1 Y
j=1 Rλi,j
Pj modp,
fori=t,· · ·, n.
2. TheSIM2 setf(x) as a polynomial of degreet−1, such thatf(0) =σ,f(i) =
σi(i= 1,· · ·, t−1). And thenSIM2 computesσi=f(i) modq fori=t,· · ·, n.
Notice thatσican pass the Equation 6.
6.3 Scheme 2
In this subsection, we propose our second ID-based threshold signature scheme. In this scheme, there still exist a PKG, andnplayers. However, there is no one knows the private key of thesenplayers.
Setup. Identical to that in our ID-based signature scheme. Thre-Extract. It is an interactive protocol.
1. Thenplayers perform theProtocol DKG. (p, q, g, h) is the input of the Protocol DKG, where h is a random number inZp, and no one knows the discrete logarithm ofh.2 Let the final shares of playerP
ibe (xi, x0i), and f1(x) =
Pt−1
i=0aiximodq and f2(x) = Pt−1
i=0biximodq are the final secret-sharing polynomials, such that f1(i) = xi and f2(i) = x0i, Ai=gf1(i)modp, (i= 0,· · ·, n). At last, setRID=A0.
2. Upon receiving the tuple (ID, RID), the PKG does: (a) Choose a randomrP KG ∈Zq∗.
(b) Compute and broadcastRP KG=grP KGmodp.
(c) Set the private key skID ← (RP KG, dID), where dID = rP KG+ xH1(ID||RID||RP KG) modq.
(d) The PKG andnplayers performProtocol VSS. The input ofProtocol VSSis (p, q, g, dID, RP KGyH1(ID||RID||RP KG)). As a result, the PKG distributes dID amongn players. LetdPi be the share of playerPi, f3(x) = dID +
Pt−1
i=1cixi modq be the secret-sharing polynomial, such that f3(i) = dPi, Bi = g
f3(i)modp(i = 0,· · ·, n). At last, set
RP KG=B0.
Thre-Sign. LetΦbe a subset of thenon-disqualifiedplayers, andλΦ i =
Q
k∈Φ,k6=i 0i−−kk, where|Φ| ≥t. To sign a messagem, player Pi in Φdoes the following per-formances.
1. Choose a randomrPi.
2. Compute and broadcastRPi =grPimodp. 3. ComputeRp=
Q
i∈ΦR λΦ
i
Pi modp.
4. Compute and broadcastσPi =rPi+ (xi+dPi)H2(RID||RP KG||Rp||m). 5. Check
gσPi =? R
Pi(Aj·Bj)
H2(RID||RP KG||Rp||m)modp. (7)
If it does not hold, playerPibroadcasts acomplaint against playerPj. If all the players inΦare honest, the signature is (RID, RP KG, Rp, σ), where σ=Pi∈ΦλΦ
iσPimodq.
Verify. Identical to that in our ID-based signature scheme.
6.4 Analysis of Scheme 2
Unforgeability. Like the security proof of scheme 1, we also use the simulator to prove scheme 2 is unforgeable.
Lemma 6.2. Scheme 2 is simulatable.
Proof. Due to the simulator for Thresh-Sign of scheme 2 is the same as that in scheme 1, we only give the simulator of Thresh-Extract (see Fig. 9). As mentioned in the proof of Lemma 6.1, the output of the simulator is indistin-guishable from that in the real execution of Thresh-Signof scheme 2, from the adversary’s viewpoint.
As a result, we finish the proof of this lemma. ut
SIM1 for scheme 2
input:y,RID,RP KG,ID,t−1 shares (xi, dPi)’s of the corrupted players.
1. TheSIM1 runs Steps 1(a), 1(b), 1(c), 1(e), 1(f) ofProtocol DKGon the behalf of the uncorrupted players. Letfi(x) =
Pt−1 j=0aijx
j(i= 1,· · ·, n) be the
secret-sharing polynomial dealt by player Pi. Denote by xi the final share of player Pi.
2. The SIM1 computes Bij =gfi(j)modpfori= 1,· · ·, n and j = 1,· · ·, n. For
player Pn doe the following: Set Bn0 = RID· Qn−1
i=1(Bi0)
−1 modp. Compute Bni =Bλni,00
Qt−1 i=j(g
xj)λi,jmodp, where λi,j’s are known coefficients. For each playerPi, (i=t,· · ·, n) broadcastsBij forj= 1,· · ·, n.
3. TheSIM1 runs Steps 1(h), 1(i), 2 ofProtocol DKG.
4. The SIM1 runs theSIM1 for scheme 1 on the input: (y, RID, RP KG, ID, t−
1 sharesdPi’s of the corrupted players).
Fig. 9.Simulator forThresh-Extractof scheme 2.
Combining Theorem 5.2 and Lemma 6.2, we have the following theorem. Theorem 6.3. Our scheme 2 is unforgeable, if the Schnorr’s signature scheme is unforgeable.
Robustness. The following theorem can be easily proven by inspection of the scheme 2.
Theorem 6.4. Scheme 2 is (t, n) robust, if onlyn≥2t−1.
7
Performance Evaluation
In this section, in terms of computational complexity, we show that the efficiency of our ID-based threshold signature schemes is high. The performance evaluation notations are defined as follows:
Texp time for a modular exponetiation computation Tmul time for a multiplication computation
Like Chenet al.’s scheme, our scheme 1 also has a group manager, while our scheme 2 does not require such a group manager. Furthermore, Chen et al.’s scheme is considered as the best scheme among the existing schemes. Hence, we only give the comparison between Chenet al.’s scheme and our scheme 1, which is shown in Table 1.
From Table 1, our scheme 1 are more efficient than Chen et al.’s scheme, especially inThresh-Sign.
Table 1.The comparison of computational complexitya
Chenet al.’s scheme Our scheme 1
Setup the group manager 1Texp 1Texp
the PKG 1Texp 1Texp+ 1Tmul
Thresh-Extract the group manager nTexp+nTe nTexp
Thresh-Sign Generating a partial signature (2 + 3t)Texp+ (3t−2)Tmul+ 4Te(t+ 1)Texp+tTmul
Combining partial signatures 2tTexp+ 2(t−1)Tmul tTexp+ (t−1)Tmul
Verify 2Texp+ 2Tmul+ 6Te 3Texp+ 3Tmul a We omit the computational complexity of the data’s verification.
8
Conclusion
In this paper, we propose a new ID-based signature scheme without pairings, in which there is on trusted PKG. And then we extend it to be two ID-based threshold signature schemes. In both of these two schemes, there is only one PKG who is not assumed to be trusted. Furthermore, the second scheme does not require trusting any particular party at any time. Our schemes are more efficient than the existing schemes in terms of computation complexity.
References
[BF01] D. Boneh, M. Franklin. Identity-Based Encryption from the Weil Pairing. In Crypto ’01, LNCS 2139, Springer-Verlag, pp. 231-229, 2001.
[BF03] D. Boneh, M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
[BZ04a] J. Baek and Y. Zheng. Identity-Based Threshold Decryption. In PKC 2004, LNCS 2947, Springer-Verlag, pp. 262-276, 2004.
[BZ04b] J. Baek and Y. Zheng. Identity-Based Threshold Signature Scheme from the Bilinear Pairings. InProceeding of the international Conference on Information and Technology: Coding and Computing (ITCC’04), pp. 124-128, 2004. [CC03] J. Cha and J. H. Cheon. An Identity-Based Signature from Gap Diffie-Hellman
Groups.In PKC ’03, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
[CZKK04] X. Chen, F. Zhang, D. M. Konidala, and K. Kim. New ID-Based Threshold Signature Scheme from Bilinear Pairings. InINDOCRYPT 2004, LNCS 3348, Springer-Verlag, pp. 371-383, 2004.
[Fel87] P. Feldman. A practical Scheme for Non-interactive Verifiable Secret Sharing. InProc. 28th FOCS, pp. 427-437, 1987.
[Gir91] M. Girault. Self-certified public kyes. In EUROCRYPT 1991, LNCS 547, pp. 490-497, 1991.
[GJKR96] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust Threshold DSS Signatures. InEUROCRYPT 1996, pp. 354-371, 1996.
[GJKR99] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. The (in) security of dis-tributed key generation in dlog-based cryptosystems. InEUROCRYPT 1999, LNCS 1592, pp. 295-310, 1999.
[Hes02] F. Hess. Efficient Identity Based Signature Schemes Based on Pairings.In SAC ’02, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.
[Pat02] K. G. Paterson. ID-based signatures from pairings on elliptic curves. Avaiable from http://eprint.iacr.org/2002/004.
[Ped91] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. InCrypt ’91, LNCS 576, pp. 129-140, 1991.
[PS00] D. Pointcheval and J. Stern. Security Arguments for Digital Signatures and Blind Signatures.Journal of Cryptology, (2000) 13, pp. 361-396, 2000. [Sch91] C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of
Cryptology, Vol. 4, No. 3, pp. 161-174, 1991.
[Sha84] A. Shamir. Identity-based cryptosystems and signature schemes. In Crypto ’84, LNCS 196, Springer-Verlag, pp. 47-53, 1984.